Dave Krunal


Cyber Sketches

SQL Injection: Ice-cream Example

Imagine saying “EAT ICE-CREAM” to your kids all the time instead of “NOT EVERYDAY”. What if it happens as soon as you see your child? Even though you want to say the right thing, the wrong words come out of your mouth for an unknown reason. In a nutshell, a SQL injection attack works in a similar way.

I have used this nightmare parenting example as a metaphor to explain how SQL injection works. Check out my previous cyber sketch for the introduction.

The standard SQL query looks like this:

SELECT * FROM USERS WHERE username="dave" AND password="gotohell"

The attacker manipulates the input when they submit a query to the application, resulting in an unintended action. Just as you want to say “STOP IT. YOU HAD ENOUGH ICE-CREAM”, you end up saying “EAT ICE-CREAM.” It happens every time because malicious code has programmed you!

The hacker combines a standard SQL query with two conditions as injections (check the second sketch). Even if the username and password do not match, the condition ‘1’=‘1’ is always true, bypassing the password authentication process. Now, the attacker has access to all the records.
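The bypass described above, shown next to the fix, as an added example that is not part of the original post. It assumes an in-memory SQLite table shaped like the page's USERS query; the second user, the function names and the sample input are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample table mirroring the page's USERS query.
    # (Plaintext passwords only because the page's query compares them directly.)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("dave", "gotohell"), ("alice", "s3cret")])
    return db


def login_concatenated(db, username, password):
    # Vulnerable: input is pasted into the SQL text, so a quote in the
    # input closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, username, password):
    # Hardened: placeholders bind the input as data; it is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input carrying the always-true '1'='1' condition.
    tautology = "' OR '1'='1"
    print("valid login, concatenated:   ", login_concatenated(db, "dave", "gotohell"))
    print("tautology, concatenated:     ", login_concatenated(db, "nobody", tautology))
    print("tautology, parameterized:    ", login_parameterized(db, "nobody", tautology))
    print("valid login, parameterized:  ", login_parameterized(db, "dave", "gotohell"))
```

With the concatenated query, the WHERE clause becomes (username AND password match) OR '1'='1', so every row is returned even though no such user exists; the parameterized query compares the whole input against the stored password and returns nothing.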
